Configuration item (CI) data that Discovery collects can be separated into domains.
How Discovery domain separation works
Discovery implements data domain separation through the MID server by impersonating the MID
Server user during sensor processing. Discovery uses the domain that the MID Server user is in
to determine which domain the discovered data should be put into. Discovery configuration
information, including classifiers, identifiers, probes, and sensors, is not domain
Domain separation for Discovery is available starting with the Helsinki release.
Note: Discovery of Amazon Web Services and Microsoft Azure cloud resources does not support
domain separation because MID Servers are not used.
Domain separation for MID Server files
You can create versions of these specific MID Server policy records that
only a MID Server from the same domain can use. This process separation is supported for records
in tables that extend MID Server Synchronized Files [ecc_agent_sync_file]:
- MID Server MIB File [ecc_agent_mib]
- MID Server JAR File [ecc_agent_jar]
- MID Server Script File [ecc_agent_script_files]
By default, all records in these tables are members of the global domain. A user can override
the default global domain and create a version of these policies for use in the user's own
Note: Attachments on MIB or JAR file records might not appear as they did in a non-domain
separated environment. This occurs because the Attachments [sys_attachment] table is data
separated. When data is
separated between domains, a record in a child domain cannot access records in a parent domain.
Domain separated tables
Records in all tables that extend the Base Configuration Item [cmdb] table can be domain
separated. In addition, records in these tables can also be domain separated:
- Serial Number [cmdb_serial_number]
- TCP Connection [cmdb_tcp]
- Fibre Channel Initiator [cmdb_fc_initiator]
- Fibre Channel Targets [cmdb_fc_target]
- IP Address to DNS Name [cmdb_ip_address_dns_name]
- Service [cmdb_ip_service_ci]
- KVM Virtual Device [cmdb_kvm_device]
- Load Balancer Service VLAN [cmdb_lb_service_vlan]
- Load Balancer VLAN Interface [cmdb_lb_vlan_interface]
- Switch Port [cmdb_switch_port]
Set up domain separation for MID servers
Set up domain separation through the MID server user role and the MID Server
Role required: admin, agent_admin
When the MID Server connects to the instance, the MID Server record is created in
the proper domain.
Configure a MID Server
user within a specified domain with the proper
Specify this user within the MID Server config.xml file.
When you set the MID Server user
credentials in the config.xml file, make sure
they are in the proper domain.
If you must change the MID Server domain:
- Stop the MID Server and delete the ecc_agent record.
- Update the MID Server config.xml with the new user in
the new domain and restart the MID Server service.
If you need to create versions of specific MID Server files that only MID Servers in
your domain can use:
- Open or create a record in one of these MID Server modules:
- SNMP MIBs
- JAR Files
- Script Files
- Update an existing domain policy or submit a new record. The system
overrides the global domain configuration with your domain and saves a new
copy of the record. The MID Servers in your domain can only access records
in the global domain and records overridden by your specific domain.
Note: Attachments on MIB or JAR file records might not appear as they
did in a non-domain separated environment. This occurs because the
Attachments [sys_attachment] table is data separated. When data is
separated between domains, a record in a child domain cannot access
records in a parent domain.